Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Cloud computing may sometimes accelerate application performance, help enable companies to quickly deliver business results, achieve greater productivity, realize a faster time to market, and result in increased customer satisfaction. It also provides the ability to store, share, and analyze large amounts of data, thereby helping to ensure that people have access to information at the right time which, in turn, can improve decision-making, employee productivity, and collaboration.
With the incremental success of cloud computing in enterprise environment, the inventors of the instant application anticipate that organizations will start adopting cloud computing to form a “Virtual Organization,” in which the enterprise environment may be able to leverage resources with suppliers and business partners and integrate business processes within the Virtual Organization. The inventors of the instant application have recognized that a possibility exists for business-to-business (B2B) solutions over the cloud, where each partner forms an entity within a Virtual Organization, providing for the sharing of data, sharing of CPU cycles, sharing of solutions, and possible sharing of costs as well. Customers may benefit by focusing on their core business and/or competencies, e.g., rather than worrying about “non-core” or fringe problems associated with infrastructure and/or integration issues. The cost of ownership may also be reduced via the kinds of Virtual Organizations imagined herein, making them more affordable to small and medium enterprises (SMEs). Furthermore, providing an integration server of the type offered by the assignee of the instant invention over the cloud to offer B2B solutions may help optimizations that the cloud may offer through parallel processing to be realized, reduce time to market, and enable flexible up and down scalability.
Given the concept of the Virtual Organization, it is possible that there could be sharing among and/or between different partners in the Virtual Organization in terms of resources that could include, for example, CPU cycles, disk space, executables, etc. MapReduce is an algorithm that helps build algorithmic constructs so that a task can be divided and distributed by a master onto different slave machines. Algorithms such as MapReduce involve the transfer of executables between machines, which the inventors of the instant application have recognized could be extended to partners crossing over organizational boundaries. In other words, with the advent of cloud computing, different organizations could partner to form a Virtual Organization and use optimizations such as MapReduce algorithms to reduce expenses, improve performance, etc.
Unfortunately, however, there are concerns with security restrictions, configurations, enforcements, etc., that are raised, for example, while executing executables from partners. The inventors believe that current cloud computing providers, independent researchers/organizations, and others unfortunately have not looked into such concerns.
Conventional cloud-based service providers have tackled security from the perspective of Access Controls to services offered on the cloud. Current offerings typically are in line with what Microsoft Azure provides, namely, where access to particular services is decided primarily against tokens issued by Access Control services. However, these security mechanisms do not take into account the sharing of resources to the extent that might ultimately become possible and to the extent visualized herein, e.g., in connection with Virtual Organizations. Indeed, conventional approaches to providing security in the cloud do not extend themselves to scenarios where the CPU cycles are to be shared through executables run on a partner's instance, for example. Finer grained controls and enforcement also are not currently possible.
Thus, it will be appreciated that there is a need in the art for improved security techniques for cloud computing especially, for example, where multiple organizations for a single Virtual Organization, e.g., to share the processing of executables.
One aspect of certain example embodiments relates to security techniques for Virtual Organizations involving, for example, multiple separate organizations coming together in a cloud computing environment to CPU cycles, disk space, and even executables, for instance.
Another aspect of certain example embodiments relates to the extension of cloud computing to different types of partner collaborations such as, for example, CPU cycle sharing.
Another aspect of certain example embodiments relates to fine grained security controls and enforcement techniques.
Still another aspect of certain example embodiments relates to a more seamless integration of B2B domain concepts, e.g., where security configurations are captured between partners as a part of partners' agreement.
In certain example embodiments, a computer-implemented method in a cloud computing environment including at least first and second partners that share a distributed file system is provided. One or more Trading Partner Agreements (TPAs) are negotiated between two or more of the at least first and second partners. Each said TPA specifies any resources allocated by the partners in the TPA, a transport protocol to be used by the partners in the TPA, and a security mechanism to be used by the partners in the TPA. A security policy is formed from the TPAs. Such activities may be performed at design time in certain example embodiments. At run time, the method may further comprise, for example, running an algorithm to determine a target partner or target partner instance to which an executable from a source partner or source partner instance is to be distributed; transferring the executable to the target partner or target partner instance in accordance with a TPA negotiated between the target partner or target partner instance and the source partner or source partner instance; and invoking the executable on the target partner or target partner instance within constraints specified by the security policy.
In certain example embodiments, a cloud computing system is provided. The system includes a plurality of partner servers and/or partner server instances. A distributed file system is shared by the plurality of partner servers and/or partner server instances. A software module comprises an algorithm that, when executed, determines a target partner server or target partner server instance to which an executable from a source partner server or source partner server instance is to be distributed. One or more Trading Partner Agreements (TPAs) are negotiated between two or more of the plurality of partner servers and/or partner server instances. Each said TPA specifies any resources allocated by the partner servers and/or partner server instances that are a party to the TPA, a transport protocol to be used by the partner servers and/or partner server instances that are a party to the TPA, and a security mechanism to be used by the partner servers and/or partner server instances that are a party to the TPA. A security policy is formed from the TPAs. The source partner server or source partner server instance includes a first processor configured to cause the executable to be transferred to the target partner server or target partner server instance in accordance with a TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance. The target partner instance or target partner instance includes a second processor configured to invoke the executable, once received, on the target partner instance or target partner instance, within constraints specified by the security policy.
In certain example embodiments, a computer-implemented method for sharing resources among and/or between partners in a virtual organization is provided. The partners adhere to Trading Partner Agreements (TPAs) negotiated between at least two of said partners in the virtual organization. An algorithm is run to determine a target partner server or target partner server instance to which an executable from a source partner server or source partner server instance is to be distributed. The executable is transferred to the target partner server or target partner server instance in accordance with a TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance. The executable is invoked on the target partner server or target partner server instance within constraints specified by a security policy, the security policy including each said TPA. The TPA specifies: any resources allocated by the partners in the TPA, a transport protocol to be used by the partners in the TPA, and a security mechanism to be used by the partners in the TPA.
These aspects and example embodiments may be used separately and/or applied in various combinations to achieve yet further embodiments of this invention.